Nuxeo Platform / NXP-32391

Link manipulation


    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2021.0
    • Fix Version/s: None
    • Component/s: Security

      Description

      A client identified a link manipulation issue caused by HTTP header injection. The client has mitigated the issue by adding checks to the frontend, but we need to determine whether a server-side fix is warranted.

      Guidelines

      • The client runs Nuxeo behind a load-balancing URL; our reproduction environment should have the same setup (a Nuxeo Cloud instance will work)
      • The client used Burp Suite to intercept the search endpoint
      • Inject X-Forwarded-Host: kroll.com and examine the response to the request
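The following is an added illustration of the server-side pattern behind this class of issue; it is not Nuxeo code and does not describe how Nuxeo builds its links. It contrasts a link builder that trusts X-Forwarded-Host unconditionally with one that only honours the header when the value is on a configured allowlist, falling back to the known public hostname otherwise. The hostname nuxeo.example.com, the allowlist and the sample request headers are constructed for the example.

```python
from urllib.parse import urlencode

# Assumption for the example: the deployment's known public hostname(s).
# In a real deployment this comes from configuration, not from the request.
ALLOWED_HOSTS = {"nuxeo.example.com"}
FALLBACK_HOST = "nuxeo.example.com"


def trusting_base_url(headers):
    """Vulnerable pattern: absolute links are built from whatever host the
    proxy header carries, so an injected X-Forwarded-Host ends up in the
    links returned to the client."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}"


def validated_base_url(headers, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK_HOST):
    """Hardened pattern: the forwarded host is used only if it matches the
    allowlist exactly (case-insensitive); otherwise the configured public
    hostname is used. The forwarded scheme is restricted to http/https."""
    raw = headers.get("X-Forwarded-Host") or headers.get("Host") or ""
    # Proxies may append hosts as a comma-separated chain; the first entry
    # is the one the client addressed.
    host = raw.split(",")[0].strip().lower()
    if host not in allowed_hosts:
        host = fallback
    scheme = headers.get("X-Forwarded-Proto", "https").strip().lower()
    if scheme not in ("http", "https"):
        scheme = "https"
    return f"{scheme}://{host}"


def build_search_link(base_url, path, query):
    """Build the kind of absolute link a search endpoint returns in its
    response (e.g. a 'next page' URL)."""
    return f"{base_url}{path}?{urlencode(query)}"


def forwarded_host_is_unexpected(headers, allowed_hosts=ALLOWED_HOSTS):
    """Detection helper: True when a request carries an X-Forwarded-Host
    that the deployment does not recognise. Logging or alerting on these
    requests surfaces header-injection attempts at the edge."""
    raw = headers.get("X-Forwarded-Host")
    if raw is None:
        return False
    return raw.split(",")[0].strip().lower() not in allowed_hosts


# Constructed sample requests: one legitimate, one with the injected header
# from the reproduction guideline above.
LEGITIMATE = {"Host": "nuxeo.example.com", "X-Forwarded-Proto": "https"}
INJECTED = {"Host": "nuxeo.example.com", "X-Forwarded-Host": "kroll.com"}

if __name__ == "__main__":
    query = {"query": "SELECT * FROM Document", "currentPageIndex": 1}
    for label, headers in (("legitimate", LEGITIMATE), ("injected", INJECTED)):
        print(label, "trusting: ", build_search_link(trusting_base_url(headers), "/nuxeo/api/v1/search/lang/NXQL/execute", query))
        print(label, "validated:", build_search_link(validated_base_url(headers), "/nuxeo/api/v1/search/lang/NXQL/execute", query))
        print(label, "flag:", forwarded_host_is_unexpected(headers))
```

The allowlist check is the server-side control: frontend checks can stop a browser from following a manipulated link, but any other consumer of the API response (scripts, integrations, email templates) still receives the attacker-controlled host unless the server refuses to build links from it.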

      People

      • Assignee: Unassigned
      • Reporter: hbrown (Harlan Brown)